[Openvpn-users] VPN without encryption and auth

2017-08-02 Thread Abi Askushi
Hi All,

I am considering to setup OpenVPN without encryption and packet
authorization, as a way to lower the VPN overhead, by using the following
directives:

cipher none
auth none

Apart from having the tunneled traffic in the clear, since now it will not
be encrypted, what other implications are there for going like this?

My main concern for this setup is not the encryption, but low overhead.

FYI, when testing standard VPN setup, with AES-128-CBC cipher and auth
enabled, + lzo compression, I was receiving 14 - 18% VPN overhead on top of
the total UDP traffic observed on WAN. When disabling encryption and auth,
I received 6% overhead.

Thanx in advance for your feedback.
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN compression ratio

2017-07-21 Thread Abi Askushi
Thank you Selva. I confirm I can read those values from client side.


On Fri, Jul 21, 2017 at 4:01 AM, Selva Nair <selva.n...@gmail.com> wrote:

> Hi,
>
> On Thu, Jul 20, 2017 at 5:51 PM, Abi Askushi <rightkickt...@gmail.com>
> wrote:
>
>> Hi Selva,
>>
>> I have already enabled status file and I am getting the following:
>>
>> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
>> TestClient,192.168.0.180:48699,*364880*,*269678*,Thu Jul 20 16:08:39 2017
>>
>> It seems that it has only two values for bytes received and sent.
>> I am using OpenVPN 2.2. Is this a feature provided from later VPN
>> versions?
>>
>
> I was referring to status on client. On server, compression stats is not
> included in the status output. Debug level info on compression stats is
> printed to the log at verb=9 but that may be too verbose to be useful for
> regular stats collection.
>
> As for 2.2, it's very old -- upgrade.
>
> Selva
>


Re: [Openvpn-users] OpenVPN compression ratio

2017-07-21 Thread Abi Askushi
I am getting the following values and I am a bit confused as they don't add
up:

OpenVPN STATISTICS
Updated,Fri Jul 21 07:12:57 2017
TUN/TAP read bytes,527859
TUN/TAP write bytes,678807
TCP/UDP read bytes,804077
TCP/UDP write bytes,702449
Auth read bytes,678807
pre-compress bytes,140358
post-compress bytes,131343
pre-decompress bytes,80635
post-decompress bytes,127443
END

I understand the following. Please correct me if I am wrong:

TUN/TAP read bytes,527859 : bytes received in tun interface (download)
TUN/TAP write bytes,678807: bytes sent in tun interface (upload)
TCP/UDP read bytes,804077: bytes received on WAN interface (this includes
VPN encapsulation)
TCP/UDP write bytes,702449: bytes sent on WAN interface (this includes VPN
encapsulation)
Auth read bytes,678807: ???
pre-compress bytes,140358: bytes to be sent in tun interface before they
are compressed (upload)
post-compress bytes,131343: bytes to be sent in tun interface after they
are compressed (upload)
pre-decompress bytes,80635: bytes received in tun interface before they are
decompressed (download)
post-decompress bytes,127443: bytes received in tun interface after they
are decompressed (download)

Why are the values reported in the compression stats so different from
the TUN/TAP values? Don't they refer to the same payload traffic of the VPN?

Thanx,
Abi

On Fri, Jul 21, 2017 at 10:02 AM, Abi Askushi <rightkickt...@gmail.com>
wrote:

> Thank you Selva. I confirm I can read those values from client side.
>
>
> On Fri, Jul 21, 2017 at 4:01 AM, Selva Nair <selva.n...@gmail.com> wrote:
>
>> Hi,
>>
>> On Thu, Jul 20, 2017 at 5:51 PM, Abi Askushi <rightkickt...@gmail.com>
>> wrote:
>>
>>> Hi Selva,
>>>
>>> I have already enabled status file and I am getting the following:
>>>
>>> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
>>> TestClient,192.168.0.180:48699,*364880*,*269678*,Thu Jul 20 16:08:39
>>> 2017
>>>
>>> It seems that it has only two values for bytes received and sent.
>>> I am using OpenVPN 2.2. Is this a feature provided from later VPN
>>> versions?
>>>
>>
>> I was referring to status on client. On server, compression stats is not
>> included in the status output. Debug level info on compression stats is
>> printed to the log at verb=9 but that may be too verbose to be useful for
>> regular stats collection.
>>
>> As for 2.2, it's very old -- upgrade.
>>
>> Selva
>>
>
>
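
Added example (not part of the original thread, and not OpenVPN project code): a Python parser for the client-side status block quoted in the message above, deriving the per-direction compression ratio from the pre/post counters. It returns None for a direction whose counters are absent, as in the server-side status output quoted in the thread; the function names are hypothetical.

```python
import csv
import io

# Client-side status block exactly as quoted in the message above.
SAMPLE_STATUS = """\
OpenVPN STATISTICS
Updated,Fri Jul 21 07:12:57 2017
TUN/TAP read bytes,527859
TUN/TAP write bytes,678807
TCP/UDP read bytes,804077
TCP/UDP write bytes,702449
Auth read bytes,678807
pre-compress bytes,140358
post-compress bytes,131343
pre-decompress bytes,80635
post-decompress bytes,127443
END
"""

def parse_client_status(text):
    """Return {counter name: int} from an 'OpenVPN STATISTICS' block."""
    counters, in_block = {}, False
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        key = row[0].strip()
        if key == "OpenVPN STATISTICS":
            in_block = True
        elif key == "END":
            break
        elif in_block and len(row) == 2 and row[1].strip().isdigit():
            counters[key] = int(row[1])  # skips non-numeric rows such as 'Updated'
    return counters

def compression_report(counters):
    """Compressed size / original size per direction (lower is better)."""
    pairs = {
        "outgoing": ("post-compress bytes", "pre-compress bytes"),
        "incoming": ("pre-decompress bytes", "post-decompress bytes"),
    }
    report = {}
    for direction, (compressed, original) in pairs.items():
        c, o = counters.get(compressed), counters.get(original)
        # None when a counter is missing or the original size is zero.
        report[direction] = None if c is None or not o else round(c / o, 4)
    return report
```
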


[Openvpn-users] OpenVPN compression ratio

2017-07-20 Thread Abi Askushi
Hi all,

Do you know of any way that one could calculate the OpenVPN compression
ratio for a specific amount of traffic? Apart from wireshark/tshark
measurements that one may attempt, is there any other way that one could query
this statistic, perhaps from the openvpn service?

Thanx,
Abi


Re: [Openvpn-users] OpenVPN compression ratio

2017-07-20 Thread Abi Askushi
Hi Selva,

I have already enabled status file and I am getting the following:

Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
TestClient,192.168.0.180:48699,*364880*,*269678*,Thu Jul 20 16:08:39 2017

It seems that it has only two values for bytes received and sent.
I am using OpenVPN 2.2. Is this a feature provided from later VPN versions?

Thanx,
Abi



On Fri, Jul 21, 2017 at 12:41 AM, Selva Nair <selva.n...@gmail.com> wrote:

> Hi,
>
> On Thu, Jul 20, 2017 at 5:04 PM, Abi Askushi <rightkickt...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> Do you know of any way that one could calculate the OpenVPN compression
>> ratio for a specific amount of traffic? Apart from wireshark/tshark
>> measurements that one may attempt, is there any other way that one could query
>> this statistic, perhaps from the openvpn service?
>>
>>
> The status output has the pre-compressed and post-compressed bytes info.
> To get the status, either use "--status filename interval" in the config,
> or send SIGUSR2 to the running process (status output goes to log), or
> connect to the management interface and type status.
>
> Selva
>
>


Re: [Openvpn-users] VPN without encryption and auth

2017-08-06 Thread Abi Askushi
I would suggest to keep auth enabled, while having cipher none, to avoid
DoS attacks.

On Aug 6, 2017 11:35, "Yevgeny Kosarzhevsky"  wrote:

>
>
> On 2 August 2017 at 20:37, David Sommerseth  topphemmelig.net> wrote:
>
>>
>> Configuring OpenVPN without encryption is a peculiar use case I've
>> seldom quite understood, except if you're doing some research on various
>> crypto or network related scenarios.
>
>
> OpenVPN without encryption or with weak encryption using '--auth none
> --no-iv --no-replay' is still great tool for tunneling traffic over UDP
> protocol. IPIP, L2TP or other known tunneling solutions may be blocked in
> certain countries. This is the reason I would vote to keep no-iv option in
> upcoming 2.5 release.
>
> --
> Regards,
> Yevgeny
>
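
Added example (not from the thread or the OpenVPN project): a small Python audit that flags the data-channel directives discussed in this thread (cipher none, auth none, no-iv, no-replay), accepting either config-file lines or the '--option' command-line form quoted above. The function names and the sample config, including the server name vpn.example.net, are constructed for illustration.

```python
import shlex

# (directive, required argument or None for "any") -> what the setting gives up
FINDINGS = {
    ("cipher", "none"): "data channel is sent unencrypted",
    ("auth", "none"): "HMAC packet authentication is turned off",
    ("no-replay", None): "replay protection is turned off",
    ("no-iv", None): "per-packet IV is turned off",
}

def directives(text):
    """Yield (line number, [name, args...]) from config-file or '--option' text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                   # unbalanced quote: skip, do not guess
            continue
        current = []
        for tok in tokens:
            if tok.startswith("--") and len(tok) > 2:   # command-line style
                if current:
                    yield lineno, current
                current = [tok[2:]]
            else:
                current.append(tok)
        if current:
            yield lineno, current

def audit(text):
    """Return [(line number, directive, finding)] in file order."""
    out = []
    for lineno, d in directives(text):
        arg = d[1] if len(d) > 1 else None
        for (name, want), msg in FINDINGS.items():
            if d[0] == name and want in (None, arg):
                out.append((lineno, " ".join(d[:2]) if want else name, msg))
    return out

# Constructed sample config using the directives from the thread.
SAMPLE_CONF = """\
remote vpn.example.net 1194 udp
# cipher AES-128-CBC
cipher none
auth none
comp-lzo
"""
```
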


Re: [Openvpn-users] HA between two server on different sites.

2017-08-06 Thread Abi Askushi
There are several ways that come to my mind, though it depends on the
exact requirements which would be the best approach:

1. Simple failover with multiple remote servers on the client side config.
You can even put weights here.

2. Have the servers on a cloud provider that provides virtual ip failover
between remote sites

3. Script your way. For example, I had scripted a simple monitoring agent
whose job was to open and close the vpn ports through iptables depending
on the availability of the peer server (+ internet connectivity checks to
avoid false positives) and have multiple server lines on the remote
directive of client config.

When you mention that you had a problem with the tunnel routes, what exactly
was the problem? Is it related to ospf or vpn routes? Openvpn has up/down
directives that you can use to trigger and run scripts to clean routes or
do other tasks.


On Jul 26, 2017 00:00, "Marcelo Moraes" 
wrote:

Hi everybody.



First of all, I'm sorry. This may be a very simple matter, but I'm not
succeeding in solving it.



I need to make a high availability between two openvpn servers that are in
two different physical locations. I thought first of making a server and a
client for each connection and propagating the routes through ospf. I also
thought about creating two servers, and adding them to a single multi-line
client with the remote command.


What would be the best way to do this? Of these two forms mentioned
above I am having problems with the tunnel routes, because if a server
goes offline for some reason, when it returns, the openvpn service can
not go up that route because there is already a same route through
another path and then the server Error and stops.


Any idea is welcome


-- 
Regards,
Marcelo Moraes | IT Support
Phone: 17-3330-5000 (ext. 5006)
Skype. mmoraes.campofert




[Openvpn-users] OpenVPN with LZ4

2017-08-24 Thread Abi Askushi
Hi All,

I have compiled the latest openvpn 2.4.3, as below:

apt-get install libpam0g-dev liblzo2-dev liblz4-dev

./configure --build=x86_64-linux-gnu --prefix=/usr --sysconfdir=/etc \
  OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto" \
  OPENSSL_CFLAGS="-I/usr/local/ssl/include" --disable-debug \
  --disable-dependency-tracking --with-crypto-library=openssl \
  --enable-iproute2

make

make install


Then I created a deb file from the above.

Do I need to install any LZ4 libraries on other devices where the resulting
openvpn deb file is to be installed?

I was thinking that Lz4 tools might not be needed and that LZ4 compression
will be handled from the kernel. (When installing the deb file without
installing any LZ4 user space tools I did not receive any warning or error
and the VPN tunnel was able to establish)


Thanx,

Abi


Re: [Openvpn-users] OpenVPN with LZ4

2017-08-25 Thread Abi Askushi
Thanx Gert for the explanation.

I get the following:

ldd openvpn
linux-vdso.so.1 =>  (0x7ffc2e1da000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x7fd04c672000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x7fd04c45c000)
liblzo2.so.2 => /usr/lib/x86_64-linux-gnu/liblzo2.so.2 (0x7fd04c23b000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7fd04bfda000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7fd04bbe)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fd04b9dc000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fd04b64f000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7fd04b438000)
/lib64/ld-linux-x86-64.so.2 (0x7fd04c88a000)

Seems that lz4 is statically linked as it is not shown above and the deb
file is sufficient to deploy this new update without installing any other
packages.

Thanx,
Abi

On Thu, Aug 24, 2017 at 10:08 PM, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> this is a question better suited for openvpn-devel, really...
>
> On Thu, Aug 24, 2017 at 08:12:13PM +0300, Abi Askushi wrote:
> > apt-get install libpam0g-dev liblzo2-dev liblz4-dev
> [..]
> > Then I created a deb file from the above.
> >
> > Do I need to install any LZ4 libraries on other devices where the
> resulting
> > openvpn deb file is to be installed?
>
> That depends on whether liblz4-dev installs a shared library (liblz4.so)
> or only a static library (liblz4.a).  The static library is fully embedded
> into the openvpn binary, so you do not need anything "extra" - for the
> dynamic library, you'll likely need "liblz4" on the target system.
>
> > I was thinking that Lz4 tools might not be needed and that LZ4
> compression
> > will be handled from the kernel. (When installing the deb file without
> > installing any LZ4 user space tools I did not receive any warning or
> error
> > and the VPN tunnel was able to establish)
>
> OpenVPN does not use kernel side compression.
>
> If you can start the openvpn binary, everything that is needed is there
> (so, either liblz4.so was already there on the system, or liblz4.a
> was statically linked).
>
> You can find out running "ldd openvpn" on your openvpn binary - if
> liblz4. shows up, it needs the dynamic library.  Everything
> that does *not* show up is built-in (or not a direct dependency).
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>//
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025g...@net.informatik.tu-
> muenchen.de
>